Linux – Best practices for web server log archiving (Linux + Nginx)

linuxlog-fileslogrotatenginxweb-server

I want to preserve/archive all of my web server logs, and not have any of them be deleted by logrotate. What would a recommended approach be for this? This is a Linux box, running Nginx. Thanks in advance.

(I would prefer to use cronolog, but it appears to not go well with Nginx because of the way Nginx handles logging.)

Best Answer

Do it with logrotate, just tell it what you want...

/var/log/nginx/*.log {
    daily
    dateext
    missingok
    rotate 7305 # 2 decades
    olddir /var/log/nginx/old
    compress
    delaycompress
    notifempty
    create 644 nginx root
    sharedscripts
    postrotate
      if [ -f /var/run/nginx.pid ]; then
        kill -USR1 `cat /var/run/nginx.pid`
      fi
    endscript
}

I don't use nginx, so I used an example I found for the postrotate... If you have a logrotate script already, start with modifying that.

Key parts:

"daily" means every day. You could do weekly or size-based, but that doesn't interact as prettily with "dateext".
"dateext" means it'll give the rotated logfiles a name based on the date instead of a simple number; that way it doesn't have to rename every log file every day and you can tell the date of a logfile from the name of the file
"rotate 7305" -- this is two decades. Keep more or less... logrotate really prefers to have some sort of retirement, but you can set it ridiculously high.
"olddir" has to be on the same filesystem, but that'll keep the logs in a separate dir so you can figure out what's going on
"delaycompress" and "create" help make sure it works with software that doesn't want to work with it

Related Solutions

Logrotate daily and size

If the size directive is used, logrotate will ignore the daily, weekly, monthly, and yearly directives. This is not clear in the documentation when you execute the man logrotate command. However it can be confirmed in practice, and is mentioned in some arbitrary blog posts such as this one.

There is a directive called minsize which according to the logrotate man page is the only size directive that can be used in conjunction with the time ones. However, its still not what you want. Using minsize with daily essentially says: rotate the logs daily, but only when they are at least #MB in size.

To date I have found no way with logrotate to do the condition you require: rotate every day, unless the size exceeds #MB, in which case rotate immediately. I do not think this is supported using only logrotate directives. It might be possible to do with some clever scripting via the script hook directives like prerotate, postrotate, firstaction, and lastaction.

Update:

As of logrotate 3.8.1, maxsize and timeperiod are supported together, which would be the ideal solution. See the answer to this post: How to rotate log based on an interval unless log exceeds a certain size?

Linux – How to remove old log entries from a log file and archive them somewhere else in Linux

Something simple might work for you.

Assuming log entries are on a single line and the lines always start with YYYY-MM-DD then a simple script like this would split the log file by date.

logsplit: usage cat logfile | logsplit

#!/bin/bash
LOGBASEPATH=/logfilepath/logfile
while read LOGLINE ; do
  [[ -z ${LOGLINE} ]] && continue # skip empty
  dayprefix=`echo $LOGLINE | cut -d ' ' -f 1`
  echo $LOGLINE  > $LOGBASEPATH/logname.$dayprefix
done

This would nicely match up with the dateext option of logrotate so you can have one log file per day.

Best Answer

Related Solutions

Logrotate daily and size

Linux – How to remove old log entries from a log file and archive them somewhere else in Linux

Related Topic